Legal claims defining the scope of protection, as filed with the USPTO.
1. A computing system configured to generate an alert related to a cyber attack, the computing system comprising: a computer readable storage medium having program instructions embodied therewith; and one or more processors configured to execute the program instructions to cause the one or more processors to: receive contextual information about a resource; determine, based at least in part on the contextual information, one or more indicators associated with an activity that is performed on a computer network; determine, based at least in part on the one or more indicators, a set of events reflecting activity that is indicative of a cyber attack; determine, based at least in part on the contextual information, a set of weights, from a plurality of sets of weights, to apply to the set of events; determine, based at least in part on the set of events, the set of weights, and the contextual information, a risk score for each event, wherein the risk score indicates a probability that the resource is at risk from the event of a cyber attack; and in response to the risk score for an event satisfying a threshold value, generate an alert.
2. The computing system of claim 1, wherein the alert comprises information that at least partly indicates the contextual information that contributed to the risk score satisfying the threshold value.
3. The computing system of claim 1, wherein the contextual information comprises at least one of: information about what users are permitted to access the resource, information about ordinary hardware control request patterns, information about typical usage patterns of the resource by an authorized user, an access policy of the resource, a physical location of the resource, a value of the resource, or a location of the resource in a network topology of a network of the organization.
4. The computing system of claim 1, wherein the one or more processors are further configured to execute the program instructions to cause the one or more processors to: generate a plurality of alerts based on one or more risk scores for one or more respective events satisfying one or more threshold values; and present the plurality of alerts to an analyst in an order that is at least partially determined by respective risk scores of the plurality of alerts.
5. The computing system of claim 1, wherein the one or more processors are further configured to execute the program instructions to cause the one or more processors to: cause the alert to be presented using a graphical user interface comprising a representation of the risk score associated with the resource.
6. The computing system of claim 5, wherein the graphical user interface further comprises a representation of a total risk score of a plurality of resources, wherein the total risk score is determined by combining the risk scores in the plurality of resources.
7. The computing system of claim 6, wherein the one or more processors are further configured to execute the program instructions to cause the one or more processors to: combine the risk scores in the plurality of resources using a monotonically converging function.
8. The computing system of claim 6, wherein the one or more processors are further configured to execute the program instructions to cause the one or more processors to: provide a record-keeping functionality, wherein one or more interactions between an analyst and the warning system are recorded.
9. The computing system of claim 6, wherein the one or more processors are further configured to execute the program instructions to cause the one or more processors to: receive a commentary input from an analyst; associate the input with one or more alerts; and cause presentation of the input together with the one or more alerts.
10. The computing system of claim 1, wherein the one or more processors are further configured to execute the program instructions to cause the one or more processors to: generate a plurality of alerts that is integrated into a chart or graph visualization.
11. The computing system of claim 10, wherein the one or more processors are further configured to execute the program instructions to cause the one or more processors to: integrate into the chart or graph a plurality of events related to a potential cyber attack against the resource and for which no alert has been generated.
12. The computing system of claim 11, wherein the one or more processors are further configured to execute the program instructions to cause the one or more processors to: further include into the chart or graph historical alerts that have previously been responded to by an analyst.
13. The computing system of claim 1, wherein the threshold value is based at least in part on a random value.
14. A method for generating an alert related to a cyber attack, the method comprising: by one or more processors executing program instructions: receiving contextual information about a resource; determining, based at least in part on the contextual information, one or more indicators associated with an activity that is performed on a computer network; determining, based at least in part on the one or more indicators, a set of events reflecting activity that is indicative of a cyber attack; determining, based at least in part on the contextual information, a set of weights, from a plurality of sets of weights, to apply to the set of events; determining, based at least in part on the set of events, the set of weights, and the contextual information, a risk score for each event, wherein the risk score indicates a probability that the resource is at risk from the event of a cyber attack; and in response to the risk score for an event satisfying a threshold value, generating an alert.
15. The method of claim 14, wherein the alert comprises information that at least partly indicates the contextual information that contributed to the risk score satisfying the threshold value.
16. The method of claim 14, wherein the threshold value is based at least in part on a random value.
17. The method of claim 14, the method further comprising: by the one or more processors executing program instructions: receiving a commentary input from an analyst; associating the input with one or more alerts; and causing presentation of the input together with the one or more alerts.
18. Non-transitory computer-readable storage comprising instructions for causing one or more computing devices to perform operations comprising: receiving contextual information about a resource; determining, based at least in part on the contextual information, one or more indicators associated with an activity that is performed on a computer network; determining, based at least in part on the one or more indicators, a set of events reflecting activity that is indicative of a cyber attack; determining, based at least in part on the contextual information, a set of weights, from a plurality of sets of weights, to apply to the set of events; determining, based at least in part on the set of events, the set of weights, and the contextual information, a risk score for each event, wherein the risk score indicates a probability that the resource is at risk from the event of a cyber attack; and in response to the risk score for an event satisfying a threshold value, generating an alert.
19. The non-transitory computer-readable storage of claim 18, wherein the threshold value is determined at least in part randomly.
20. The non-transitory computer-readable storage of claim 18, wherein the alert comprises information that at least partly indicates the contextual information that contributed to the risk score satisfying the threshold value.
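The pipeline recited in claims 1, 2, 4, 7 and 13 (contextual information selects a weight set, indicators are derived from observed activity, each event gets a risk score, a partly random threshold gates the alert, alerts are ordered by score and carry the context that contributed, and per-resource scores combine through a monotonically converging function) carried through in working code. This is an added illustration and not code from the patent or its assignee: the indicator names, the weight values, the use of noisy-OR (1 - prod(1 - w_i)) as the combining function, and the sample resource and activities are all constructed assumptions.

```python
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceContext:
    """Contextual information about a resource (a subset of the claim 3 categories)."""
    name: str
    permitted_users: frozenset[str]   # who is permitted to access the resource
    usual_hours: tuple[int, int]      # typical usage window, [start, end) in local hours
    value: str                        # "low", "medium" or "high"; selects the weight set
    segment: str                      # location of the resource in the network topology


@dataclass(frozen=True)
class Activity:
    """One observed activity on the network (constructed sample input)."""
    kind: str           # e.g. "login_ok", "login_failed"
    user: str
    hour: int
    src_segment: str


# A plurality of sets of weights; the resource's value picks one. Numbers are hypothetical.
WEIGHT_SETS: dict[str, dict[str, float]] = {
    "high":   {"failed_login": 0.30, "unpermitted_user": 0.60, "off_hours": 0.20, "cross_segment": 0.40},
    "medium": {"failed_login": 0.20, "unpermitted_user": 0.50, "off_hours": 0.15, "cross_segment": 0.30},
    "low":    {"failed_login": 0.10, "unpermitted_user": 0.30, "off_hours": 0.05, "cross_segment": 0.15},
}


def select_weights(ctx: ResourceContext) -> dict[str, float]:
    """Choose the set of weights to apply, based on the contextual information."""
    return WEIGHT_SETS[ctx.value]


def indicators_for(ctx: ResourceContext, act: Activity) -> list[str]:
    """Derive indicators from an activity, judged against the resource's context."""
    found = []
    if act.kind == "login_failed":
        found.append("failed_login")
    if act.user not in ctx.permitted_users:
        found.append("unpermitted_user")
    start, end = ctx.usual_hours
    if not start <= act.hour < end:
        found.append("off_hours")
    if act.src_segment != ctx.segment:
        found.append("cross_segment")
    return found


def noisy_or(probabilities) -> float:
    """1 - prod(1 - p_i): non-decreasing in every argument and bounded by 1, so adding
    inputs only moves the result toward 1. Assumed here as the claim 7 combiner."""
    return 1.0 - math.prod(1.0 - p for p in probabilities)


def risk_score(ctx: ResourceContext, act: Activity, weights: dict[str, float]) -> tuple[float, list[str]]:
    """Score one event: combine the weights of the indicators it triggered.
    Returns the score and the indicators that contributed to it."""
    found = indicators_for(ctx, act)
    return noisy_or(weights[i] for i in found), found


def generate_alerts(ctx, activities, base_threshold=0.50, jitter=0.05, seed=0):
    """Alert when an event's score meets a threshold that is partly random (claim 13).
    Alerts come back highest-risk first (claim 4) with the contributing context (claim 2)."""
    rng = random.Random(seed)
    weights = select_weights(ctx)
    alerts = []
    for act in activities:
        score, contributing = risk_score(ctx, act, weights)
        if not contributing:
            continue   # no indicators: not an event indicative of an attack
        threshold = base_threshold + rng.uniform(-jitter, jitter)
        if score >= threshold:
            alerts.append({
                "resource": ctx.name,
                "activity": act,
                "score": score,
                "threshold": threshold,
                "contributing_indicators": contributing,
                "contributing_context": {
                    "permitted_users": sorted(ctx.permitted_users),
                    "usual_hours": ctx.usual_hours,
                    "segment": ctx.segment,
                    "weight_set": ctx.value,
                },
            })
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


# Constructed sample: one high-value resource and three activities against it.
SAMPLE_CONTEXT = ResourceContext("payroll-db", frozenset({"alice", "bob"}), (8, 18), "high", "corp")
SAMPLE_ACTIVITIES = [
    Activity("login_ok", "alice", 10, "corp"),       # ordinary use, no indicators
    Activity("login_failed", "mallory", 3, "dmz"),   # every indicator fires
    Activity("login_failed", "bob", 22, "corp"),     # two indicators, stays below threshold
]


def demo():
    return generate_alerts(SAMPLE_CONTEXT, SAMPLE_ACTIVITIES)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['resource']}: score={a['score']:.3f} threshold={a['threshold']:.3f} "
              f"indicators={a['contributing_indicators']}")
```

With jitter of 0.05 around a base of 0.50 the threshold lands in [0.45, 0.55], so the fully-indicated event (score 0.8656) always alerts and the two-indicator event (score 0.44) never does; one reading of the random component in claim 13 is that it denies an attacker a fixed ceiling to stay just beneath. The total risk for several resources is `noisy_or` over their per-resource scores, which rises monotonically and converges toward 1 as resources are added.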
March 22, 2022